iSCSI Security
(Insecure SCSI)
Presenter:
Himanshu Dwivedi
www.isecpartners.com
Agenda
• Introduction
• iSCSI Attacks
– Enumeration
– Authorization
– Authentication
• iSCSI Defenses
Information Security Partners (iSEC)
• iSEC Partners
– Independent security consulting and product organization
• Our Focus
– Application Security
• Java, C++ and .NET applications
• Attacking Web Services (XML, SOAP) – Alex Stamos and Scott Stender
– Network Security
• Firewalls, Routers/Switches, VPNs, and Operating Systems
– Storage Security
• NAS, iSCSI, and SANs
– Product Security
• Software Applications (home grown and commercial off-the-shelf)
• Hardware Appliances (devices)
• For more information
– https://www.isecpartners.com
Introduction
• iSCSI
i = Internet Protocol
SCSI = Small Computer System Interface
iSCSI = Insecure SCSI
• What is iSCSI?
– iSCSI (Internet Small Computer Systems Interface) provides access to
block level data over traditional IP networks
– SCSI blocks have mostly been used with Fibre Channel SANs
– Unlike NAS storage devices using CIFS/NFS at the file level, SCSI blocks
work at lower levels by offering entire data stores (LUNs) to iSCSI clients
Introduction
• Block level vs. File level
– File Level: CIFS (SMB) and NFS file systems over a network connection
– Block Level: The actual drive (not the file system) over a network
– Simplistic example: A file system versus an entire hard drive
• Security and iSCSI
– Authentication – CHAP (weak)
– Authorization – Initiator Node Names (spoof-able)
– Encryption – IPSec shared secret (deployment challenges)
• Why should we care?
– A compromise of a single iSCSI device equates to the compromise of several (10 to
100) operating systems at once!
• Who cares about admin, root, or system accounts when the entire data store can
be compromised?
Introduction
• What *some* vendors say about iSCSI Security
• Implies trusting everyone (employees, vendors, business partners, guests,
contractors, consultants, wireless users, and remote VPN users) that is
connected to the internal network
Agree to…..
- Remove all file permissions from all folders in every operating system
- Allow everyone to read everyone else's email
- Remove all passwords from databases
- Allow everyone to view HR information (Soc Sec Numbers, Salaries)
- Tell the Auditors that “Internal controls are for sissies”
Introduction
• iSCSI Architecture Components
– iSCSI Initiator: An iSCSI client
– iSCSI Target: An iSCSI storage device/appliance
– iSNS (optional): iSCSI Name Services (A table that groups iSCSI Initiators and Targets in Domain Sets for logical segmentation)
• Terms and Definitions
– iQN: Initiator Node Name (Identity value for iSCSI clients,
similar to MAC addresses)
– Domain Sets: Logical segmentation of iSCSI entities (Targets and
Initiators into separate groups)
– LUNs: Logical Unit Numbers (A logical array of storage
units. One storage entity can be divided into
multiple LUNs)
Introduction
• iSCSI Initiators
– iSCSI Clients
– Use a regular NIC (IP) with an iSCSI client driver
• iSCSI Drivers
– Microsoft
– Cisco
– IBM
– HP
• NO special hardware required
• Works over existing IP networks
[Figure: iSCSI Driver]
Introduction
• iSCSI Targets
– iSCSI Devices (Appliances)/Servers
– Offer large volumes of data (block level) over the IP network
• iSCSI Vendors
– Cisco
– EMC
– Network Appliance
– HP
– IBM
• Listens on TCP port 3260
[Figure: iSCSI Device]
Introduction
• Example iSCSI Architecture
[Figure: example iSCSI architecture. Initiators iqn.1991-05.com.Microsoft:123 and iqn.1987-05.com.cisco:456 reach the target over an iSCSI connection; the target presents LUN 1, LUN 2, LUN 3 and LUN 4, and a network LUN appears to the initiator like a local disk.]
Introduction
• iSCSI allows block data to be available over the IP network
[Figure: an Operating System (iSCSI Initiator) reaches an iSCSI Device (iSCSI Target) over the network; the remote block storage is presented to the OS as if it were local.]
Introduction
• iSNS Servers (iSCSI Simple Name Services)
– Software that runs on an operating system or an iSCSI Device
– iSCSI initiators and targets register with the iSNS server
• Similar to DNS
– An iSNS server is responsible for:
• Informing iSCSI clients about which iSCSI targets are available on the network
• Grouping iSCSI clients to their correct Domain Set
• Informing iSCSI clients what security aspects (if any) they must use to
associate to targets
– Listens on port TCP 3205.
[Figure: iSNS Server alongside an iSCSI Device]
Introduction
• iSNS Model
[Figure: iSNS model. The iSCSI client iqn.1991-05.com.microsoft:win2003 and the storage devices XYZ (iqn.1987-05.com.XYZ:111773) and 123 (iqn.1992-08.com.123:112699) send iSNS registrations to the iSNS server. The Exchange Domain set holds iqn.1991-05.com.microsoft:win2004-hd and iqn.1992-08.com.123:112699; the Default Domain Set holds iqn.1991-05.com.microsoft:win2003 and iqn.1987-05.com.XYZ:111773. When win2003 queries the iSNS server, the reply "Available iSCSI Targets… for your Domain Set" lists only iqn.1987-05.com.XYZ:111773.]
Introduction
• iSNS Example
Introduction
Top 5 iSCSI Security Issues
1. iQN Values are trusted
a. iQN are spoof-able, sniff-able, and can be brute-forced
2. iSCSI Authorization is the only required security entity,
which relies on iQN values
3. iSCSI Authentication is disabled by default
4. iSCSI Authentication uses CHAP
5. iSNS servers are not protected
iSCSI is a clear text protocol
iSCSI Enumeration
iSCSI Enumeration
• Scanning iSCSI Targets (Devices)
– TCP port 3260 and 3205
– StorScan is a focused port scanner for storage devices
• iSCSI SANs and IP NAS
• Yes. Nmap is much better, but StorScan is focused (filtered)
– storscan.exe <range>
iSCSI Enumeration
• Enumeration
– iSCSI Targets (iSCSI Devices)
• Listen on TCP port 3260
– iSNS
• Listen on TCP port 3205
– iSCSI Clients
• Do not listen on a port, but can be enumerated from the iSNS server
iSCSI Enumeration
• iSNS registration
– If unique Domain Sets are not created, each iqn will be placed in the Default Domain Set.
– Any member of a domain set will be able to enumerate/access the other nodes in the same domain set
• This is why it is important to move nodes out of the Default Domain Set
– Foo can:
1. Scan for port 3205 and find an iSNS server
2. Connect to the iSNS server
3. Enumerate the other iSCSI nodes, which can now be used for iqn spoofing attacks (described later)
iSCSI Enumeration
• iSNS Man-in-the-Middle
– Identify iSNS server on port 3205
– Using layer 2 ARP poisoning attacks, a fake iSNS server can
replace the real iSNS server
• The real iSNS server still receives the registrations from targets and clients, but only after the fake iSNS server has had control of the packets
• This allows the fake iSNS server to
– View all registrations (both targets and clients)
– Modify or change Domain Sets
– Downgrade Domain Sets that require security
(remove authentication or encryption)
iSCSI Enumeration
• iSNS MITM
[Figure: iSNS MITM. A fake iSNS server is inserted between the iSCSI client, the iSCSI target and the real iSNS server, where it can capture iQNs, modify Domain Sets and modify security requirements.]
iSCSI Authorization
iSCSI Authorization
• iSCSI
– Authorization (Required)
• Required iSCSI Security component
• Initiator Node Name
– Only unknown variable is the end string
» iqn.1991-05.com.microsoft:HOSTNAME
» iqn.1987-05.com.cisco:xxxxxx
» iqn.1992-08.com.ibm:<partition identifier>
– iQNs traverse the network in CLEAR-TEXT
» Easily sniffable, guessable, or enumerated
• An attacker can get access to large amounts of data with little effort
iSCSI Authorization
• iSCSI Authorization Attack
– Sniff iSCSI Communication
• Port 3260
• Get Initiator Node Names
– Spoof the Initiator Node Name
• Change Initiator name with iSCSI driver
– See Data
• Gain access to confidential and sensitive data
iSCSI Security
• iSCSI Attack Demo
[Figure: attack demo. A trusted iSCSI client (iqn.1991-05.com.microsoft:win2003-hd) and a malicious iSCSI client (iqn.1991-05.com.microsoft:jum4nj1) share an IP switch with an iSCSI storage device exposing LUN 0001 and LUN 0002. The device maps iqn.1991-05.com.microsoft:win2003-hd = LUN 0001, so the trusted client has access to LUN 0001. The malicious client performs three steps to get access to the trusted data: 1. Sniff, 2. Spoof (presents itself as iqn.1991-05.com.microsoft:win2003-hd), 3. See Data.]
iSCSI Security
• iSCSI Attack Demo
[Figure: attack demo. A trusted iSCSI client (iqn.1987-05.com.cisco:01.1e2d66bf412c) and a malicious iSCSI client (iqn.1991-05.com.microsoft:win2003) share an IP switch with an iSCSI storage device exposing LUN 0001 through LUN 0010. The device maps iqn.1987-05.com.cisco:01.1e2d66bf412c = LUN 0001 thru LUN 0005, so the trusted client has access to LUN 0001, 0002, 0003, 0004 and 0005. The malicious client performs the same three steps to get access to the trusted data: 1. Sniff, 2. Spoof (presents itself as iqn.1987-05.com.cisco:01.1e2d66bf412c), 3. See Data.]
iSNS Domain Hopping
• iSNS Domain (iGroup) Hopping
– Similar to VLAN hopping and Zone hopping (Fibre channel)
– Discovery Domains/iGroups rely on the iQN value of a node
for identification
– If a node simply spoofs the iQN value to match the iQN of
their target, the iSNS server will automatically update and
overwrite the legitimate node’s information with the
attacker’s spoofed information
• Domain/iGroup Damage:
– At a minimum, this is a Denial of Service Attack
– At a maximum, this would allow unauthorized hosts to
access targets (and their data LUNs) in restricted domains
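As an added example (not from the slides or from any iSNS product), the following Python models the overwrite-on-re-registration behaviour described above and raises a defender-side alert when a known iQN re-registers from a different host; the event format, addresses and domain names are constructed for the example.

```python
"""Flag iSNS domain hopping from registration events (added example).

Not code from the slides or from any iSNS product. It models the behaviour the
slides describe: an iSNS server keys everything on the iQN and simply overwrites a
node's entry when a new registration with that iQN arrives. The monitor watches the
registration stream and alerts when a known iQN re-registers from a different source
address; the alert is 'high' when the iQN belongs to a restricted Discovery Domain
(a hop into trusted data) and 'medium' when it sits in the default domain (at least a
denial of service). Event format, addresses and domain names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DEFAULT_DOMAIN = "DefaultDomainSet"

# Administrator-assigned Discovery Domain membership, keyed by iQN, as held on the
# iSNS server. Constructed to mirror the slide scenario.
DOMAIN_MEMBERSHIP = {
    "iqn.1991-05.com.microsoft:win2003": "TrustedDomain",
    "iqn.1991-05.com.microsoft:isec": DEFAULT_DOMAIN,
    "iqn.1991-05.com.aum:iscsi": DEFAULT_DOMAIN,
}


@dataclass
class Alert:
    iqn: str
    old_ip: str
    new_ip: str
    domain: str
    severity: str          # "high" (restricted domain) or "medium" (default domain)
    reasons: List[str]


@dataclass
class IsnsMonitor:
    membership: Dict[str, str]
    table: Dict[str, str] = field(default_factory=dict)            # iqn -> registered source ip
    iqns_by_ip: Dict[str, Set[str]] = field(default_factory=dict)  # ip -> iqns it has claimed
    alerts: List[Alert] = field(default_factory=list)

    def register(self, src_ip: str, iqn: str) -> Optional[Alert]:
        prev_ip = self.table.get(iqn)
        # The unconditional overwrite the slides describe: the last registration wins.
        self.table[iqn] = src_ip
        self.iqns_by_ip.setdefault(src_ip, set()).add(iqn)
        if prev_ip is None or prev_ip == src_ip:
            return None  # first sighting, or a refresh from the same host
        reasons = [f"{iqn} re-registered from {src_ip}, previously {prev_ip}"]
        if len(self.iqns_by_ip[src_ip]) > 1:
            # One host presenting several iQNs over time is the spoofing pattern.
            reasons.append(f"{src_ip} has claimed {len(self.iqns_by_ip[src_ip])} different iQNs")
        domain = self.membership.get(iqn, DEFAULT_DOMAIN)
        severity = "high" if domain != DEFAULT_DOMAIN else "medium"
        alert = Alert(iqn, prev_ip, src_ip, domain, severity, reasons)
        self.alerts.append(alert)
        return alert


def parse_event(line: str):
    """Constructed event format: '<source ip> <iqn>' per registration."""
    src_ip, iqn = line.split()
    return src_ip, iqn


# Constructed registration stream: win2003 is in the trusted domain; the isec host
# first registers its own iQN, then re-registers using win2003's iQN.
SAMPLE_EVENTS = [
    "10.0.0.5 iqn.1991-05.com.microsoft:win2003",
    "10.0.0.9 iqn.1991-05.com.microsoft:isec",
    "10.0.0.5 iqn.1991-05.com.microsoft:win2003",   # legitimate refresh, same host
    "10.0.0.9 iqn.1991-05.com.microsoft:win2003",   # spoofed registration from isec
]


def run_sample(events=SAMPLE_EVENTS, membership=DOMAIN_MEMBERSHIP) -> IsnsMonitor:
    monitor = IsnsMonitor(membership)
    for line in events:
        monitor.register(*parse_event(line))
    return monitor


if __name__ == "__main__":
    for a in run_sample().alerts:
        print(f"[{a.severity}] {a.iqn} ({a.domain}): " + "; ".join(a.reasons))
```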
iSNS Domain Hopping
• iSNS Domain Hopping
[Figure: iSNS Domain Hopping. Before: the Trusted Domain Entity holds iqn.1991-05.com.microsoft:win2003 (host win2003); the Default Domain Set Entity holds iqn.1991-05.com.microsoft:isec (host isec) and iqn.1991-05.com.aum:iscsi (host iscsi). The isec host then sends an iSNS registration using the spoofed iQN iqn.1991-05.com.microsoft:win2003, and the iSNS table now shows iqn.1991-05.com.microsoft:win2003 registered by isec.]
iSNS Domain Hopping
[Figures: iSNS registration table before and after the domain hop]
iSCSI Authentication
iSCSI Authentication
• iSCSI Security
– Authentication: Optional Security
• Optional iSCSI Security component
– Authentication (CHAP)
– Vulnerable to several attack types:
» Sniffing of usernames
» Off-line brute force attack of secret (password)
» Message reflection attack
iSCSI Authentication
• iSCSI Attack Demo
[Figure: CHAP exchange between the iSCSI client and the iSCSI storage device, as seen by an attacker sniffing the wire]
Client -> Target: Auth Request
Target -> Client: CHAP ID and Message Challenge (CHAP_I = 194, CHAP_C = e500370b)
Client -> Target: CHAP Hash, CHAP_R = c0d749fd2be1226c891e3c21d45016cd, where (ID + secret + challenge) MD5 = Hash (CHAP_R)
Captured by the attacker:
ID (CHAP_I) = 194
Challenge (CHAP_C) = e500370b
Secret = ???????
Hash (CHAP_R) = c0d749fd2be1226c891e3c21d45016cd
(194 + secret + e500370b) MD5 = c0d749fd2be1226c891e3c21d45016cd
iSCSI Authentication
• iSCSI Authentication Attack
– CHAP: (ID + secret + challenge)MD5 = Hash (CHAP_R)
• Sample: (1 + x + 5)/2 = 5
• Sample: (1 + 1 + 5)/2 != 5
• Sample: (1 + 2 + 5)/2 != 5
• Sample: (1 + 3 + 5)/2 != 5
• Sample: (1 + 4 + 5)/2 = 5
– Sniff iSCSI Communication
• Sniff port 3260
• Obtain
– CHAP Username (CHAP_N)
– CHAP ID (CHAP_I)
– CHAP Message Challenge (CHAP_C)
– Resulting Hash (CHAP_R)
– Brute-force passwords (secret)
• Offline dictionary attack of every English word
– Compromise the secret (password)
• After two hashes match, the password is compromised
iSCSI Authentication: Offline Dictionary Attack
iSCSI CHAP Password Tester …
(www.isecpartners.com/tools.html)
iSCSI Authentication: Offline Dictionary Attack
Sniffed (Captured) Entities:
- ID (CHAP_I): 194
- Message Challenge (CHAP_C): e500370b
- Secret: ??????
- Hash (CHAP_R): c0d749fd2be1226c891e3c21d45016cd
(ID + Dictionary Word + Message Challenge) MD5 = Hash
ID   Word   Challenge   Hash
194 Hello e500370b 81d0c90ad83d06bf0f51ce944f9c0341
194 My e500370b 2db5f956905e85e6fd242a54d9213e9a
194 Name e500370b 08dd57f2fcb535ae6c3d32716d54c97c
194 Is e500370b bc7329be2a9fa99fa596802b6a00424d
194 Kusum e500370b 13ec91aeb5ea120e971a29ad0e2d0e86
194 And e500370b 0708568450c40b67fc885e6685579cc4
194 My e500370b 2db5f956905e85e6fd242a54d9213e9a
194 Voice e500370b 28b255f4e1ecbe44e8c7827d039b523e
194 Is e500370b bc7329be2a9fa99fa596802b6a00424d
194 My e500370b 2db5f956905e85e6fd242a54d9213e9a
194 Passport e500370b 4983811b661e3d1dfda16a1c39f2b201
194 Verify e500370b 629c2a938740d0332042b486db58b8dd
194 Me e500370b efb2712166bfafe7fcf6b3c0f0cf60d3
194 iscsisecurity e500370b c0d749fd2be1226c891e3c21d45016cd
Actual Secret: iscsisecurity
iSCSI Authentication: Offline Dictionary Attack
iSCSI CHAP Password Tester:
iSCSI Authentication
• Message Reflection Attacks
– Reflection of a CHAP message challenge across multiple connections
• Overview
– An attacker (iSCSI client) would request authentication to an iSCSI target
• The client receives the CHAP ID and Challenge
– Since the attacker does not know the secret (password), it cannot formulate the correct MD5 hash. However, the attacker can open a completely separate connection to the target (connection number 2) and force the Target to authenticate to it
• The RFC states that any iSCSI target must respond to authentication requests by default!
– The Target receives the same ID and Challenge it just sent to the client (but in a different connection) and also knows the correct secret. The target will formulate the correct MD5 hash and pass it back, as if it were trying to authenticate to the client
– This essentially gives the attacker (the client) the correct MD5 hash to authenticate to the iSCSI Target in the first connection!
iSCSI Authentication
• Message Reflection
[Figure: message reflection between the iSCSI client (attacker) and the iSCSI storage device]
Connection 1:
Attacker -> Target: Auth Request
Target -> Attacker: CHAP ID and Message Challenge (CHAP_I = 194, CHAP_C = e500370b)
Connection 2:
Attacker -> Target: CHAP ID and Message Challenge (CHAP_I = 194, CHAP_C = e500370b), the target's own values reflected back
Target -> Attacker: CHAP Hash, CHAP_R = c0d749fd2be1226c891e3c21d45016cd, computed as (194 + secret + e500370b) MD5
Connection 1:
Attacker -> Target: CHAP Hash, CHAP_R = c0d749fd2be1226c891e3c21d45016cd !!!
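The following added Python (not the presenter's CHAP Password Tester or any vendor's code) models the CHAP exchange from the dictionary-attack and reflection slides above: it computes CHAP_R = MD5(ID + secret + challenge), shows why one captured exchange lets a guess be checked offline, and adds the target-side check that refuses a challenge the target itself issued on any open connection. Secrets, challenges and connection names are constructed.

```python
"""CHAP over iSCSI: response computation and a reflection defence (added example).

Not the presenter's CHAP Password Tester or any vendor's code. It implements the
formula on the slides, CHAP_R = MD5(ID || secret || challenge), shows why one sniffed
exchange lets a guess be checked offline, and models the target side with the check
RFC 3720 section 8.2.1 requires of responders: refuse a challenge that equals one the
target itself issued and close the connection. Here the check covers every open
connection, which is the cross-connection case the slides describe. Secrets,
challenges and connection names are constructed.
"""
import hashlib
import os
from typing import Dict, Optional, Set, Tuple


def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP_R = MD5(ID || secret || challenge); the CHAP identifier is one octet."""
    return hashlib.md5(bytes([chap_id & 0xFF]) + secret + challenge).digest()


def verify_guess(chap_id: int, guess: bytes, challenge: bytes, captured: bytes) -> bool:
    """Everything except the secret travels in the clear, so any observer can test a
    candidate secret against a captured CHAP_R without ever touching the target."""
    return chap_response(chap_id, guess, challenge) == captured


class Target:
    """iSCSI target side of CHAP: issues challenges, checks initiator responses and,
    with mutual CHAP, answers challenges sent by the initiator."""

    def __init__(self, secret: bytes, reflection_check: bool = True):
        self.secret = secret
        self.reflection_check = reflection_check
        self.outstanding: Dict[str, Tuple[int, bytes]] = {}  # conn -> (CHAP_I, CHAP_C) issued
        self.closed: Set[str] = set()

    def issue_challenge(self, conn: str) -> Tuple[int, bytes]:
        chap_id, challenge = os.urandom(1)[0], os.urandom(16)
        self.outstanding[conn] = (chap_id, challenge)
        return chap_id, challenge

    def check_initiator_response(self, conn: str, chap_r: bytes) -> bool:
        chap_id, challenge = self.outstanding[conn]
        return chap_r == chap_response(chap_id, self.secret, challenge)

    def answer_challenge(self, conn: str, chap_id: int, challenge: bytes) -> Optional[bytes]:
        """The initiator challenges the target (mutual CHAP). A challenge equal to one
        we issued on any open connection is a reflection: close it, do not answer."""
        if self.reflection_check:
            for _, own_challenge in self.outstanding.values():
                if own_challenge == challenge:
                    self.closed.add(conn)
                    return None
        return chap_response(chap_id, self.secret, challenge)


def simulate_reflection(reflection_check: bool, secret: bytes = b"constructed-secret"):
    """Replay the slides' two-connection reflection against a target and report
    (attacker logged in on connection 1?, connection 2 closed by the target?)."""
    target = Target(secret, reflection_check)
    chap_id, challenge = target.issue_challenge("conn1")             # connection 1
    reflected = target.answer_challenge("conn2", chap_id, challenge)  # connection 2
    login_ok = reflected is not None and target.check_initiator_response("conn1", reflected)
    return login_ok, "conn2" in target.closed


if __name__ == "__main__":
    print("without check, attacker logs in:", simulate_reflection(False)[0])  # True
    print("with check, attacker logs in:", simulate_reflection(True)[0])      # False
```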
iSCSI Petty Problems
iSCSI Petty Problems
• Microsoft iSCSI Client
– Driver logs iSCSI secrets (passwords) that don’t conform to the correct size
in the clear in the Event Viewer
iSCSI Petty Problems
• Microsoft iSCSI Client
– The client’s CHAP secret is protected with ‘darkened circles’ but can be
revealed with a box revealer
iSCSI Petty Problems
• Microsoft iSCSI Client
– The client’s IPSec key is protected with ‘darkened circles’ but can be
revealed with a box revealer
iSCSI Defenses
iSCSI Defenses
• How to defend against these threats?
– CONFIGURATION, CONFIGURATION, CONFIGURATION
– Every iSCSI device should be secured just like any other operating system or application
• Pay no attention to the man behind the curtain!
– Audit your iSCSI storage devices/networks and assess the risk!
• STORAGE needs your security loving too!!!
– iSCSI storage devices, which hold your DATA, are similar to everything else
on the network….
• Vulnerable to attacks
• Security holes and weaknesses
• Need to be protected and secured
iSCSI Defenses
Top 10 iSCSI Security Recommendations
• Specific configurations
1. Enable Mutual Authentication
• Do not rely solely on CHAP Auth
2. Create Multiple Discovery Domains
• Only use the Default Domain Sets for random registrations
3. Enable CRC checksums for integrity checking
4. Require iSNS IPSec (where possible)
5. Do not only rely on iQNs for security authorization values
6. Enable iSCSI IPSec (where possible)
• Vendors!
7. Incorporate Kerberos
8. Enable authentication by default
9. Support iSNS authenticated heartbeats before registrations
10. Support iSNS security features in the RFC
Questions
Himanshu Dwivedi
• hdwivedi@isecpartners.com or hdwivedi@lokmail.com
Security Books Authored by presenter:
• Securing Storage
• Publish date: Fall 2005

More Related Content

Similar to 1- iscsi security.pdf

Open and Secure SCADA: Efficient and Economical Control, Without the Risk
Open and Secure SCADA: Efficient and Economical Control, Without the RiskOpen and Secure SCADA: Efficient and Economical Control, Without the Risk
Open and Secure SCADA: Efficient and Economical Control, Without the RiskInductive Automation
 
Open and Secure SCADA: Efficient and Economical Control, Without the Risk
Open and Secure SCADA: Efficient and Economical Control, Without the RiskOpen and Secure SCADA: Efficient and Economical Control, Without the Risk
Open and Secure SCADA: Efficient and Economical Control, Without the RiskInductive Automation
 
Introducing bastion hosts for oracle cloud infrastructure v1.0
Introducing bastion hosts for oracle cloud infrastructure v1.0Introducing bastion hosts for oracle cloud infrastructure v1.0
Introducing bastion hosts for oracle cloud infrastructure v1.0maaz khan
 
Brkcrt 2214
Brkcrt 2214Brkcrt 2214
Brkcrt 2214Mac An
 
Configuring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A PixConfiguring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A Pixangelitoh11
 
ICS PPT Unit 4.ppt
ICS PPT Unit 4.pptICS PPT Unit 4.ppt
ICS PPT Unit 4.pptDEEPAK948083
 
iSCSI: Internet Small Computer System Interface
iSCSI: Internet Small Computer System InterfaceiSCSI: Internet Small Computer System Interface
iSCSI: Internet Small Computer System InterfaceManoj Singh
 
Application and Server Security
Application and Server SecurityApplication and Server Security
Application and Server SecurityBrian Pontarelli
 
Ciscorouterasavpnserver 100218045815-phpapp01
Ciscorouterasavpnserver 100218045815-phpapp01Ciscorouterasavpnserver 100218045815-phpapp01
Ciscorouterasavpnserver 100218045815-phpapp01slavenvvv
 
Information Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric VanderburgInformation Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric VanderburgEric Vanderburg
 
AWS Summit Nordics - Getting Started With AWS
AWS Summit Nordics - Getting Started With AWSAWS Summit Nordics - Getting Started With AWS
AWS Summit Nordics - Getting Started With AWSAmazon Web Services
 
TechWiseTV Workshop: Cisco TrustSec
TechWiseTV Workshop: Cisco TrustSecTechWiseTV Workshop: Cisco TrustSec
TechWiseTV Workshop: Cisco TrustSecRobb Boyd
 
hacking and crecjing
hacking and crecjinghacking and crecjing
hacking and crecjingparth jasani
 
The Pendulum Swings Back: Converged and Hyperconverged Environments
The Pendulum Swings Back: Converged and Hyperconverged EnvironmentsThe Pendulum Swings Back: Converged and Hyperconverged Environments
The Pendulum Swings Back: Converged and Hyperconverged EnvironmentsTony Pearson
 
Secure containers for trustworthy cloud services: business opportunities
 Secure containers for trustworthy cloud services: business opportunities Secure containers for trustworthy cloud services: business opportunities
Secure containers for trustworthy cloud services: business opportunitiesATMOSPHERE .
 

Similar to 1- iscsi security.pdf (20)

Detailed iSCSI presentation
Detailed iSCSI presentationDetailed iSCSI presentation
Detailed iSCSI presentation
 
Open and Secure SCADA: Efficient and Economical Control, Without the Risk
Open and Secure SCADA: Efficient and Economical Control, Without the RiskOpen and Secure SCADA: Efficient and Economical Control, Without the Risk
Open and Secure SCADA: Efficient and Economical Control, Without the Risk
 
Open and Secure SCADA: Efficient and Economical Control, Without the Risk
Open and Secure SCADA: Efficient and Economical Control, Without the RiskOpen and Secure SCADA: Efficient and Economical Control, Without the Risk
Open and Secure SCADA: Efficient and Economical Control, Without the Risk
 
Introducing bastion hosts for oracle cloud infrastructure v1.0
Introducing bastion hosts for oracle cloud infrastructure v1.0Introducing bastion hosts for oracle cloud infrastructure v1.0
Introducing bastion hosts for oracle cloud infrastructure v1.0
 
Brkcrt 2214
Brkcrt 2214Brkcrt 2214
Brkcrt 2214
 
Configuring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A PixConfiguring Ip Sec Between A Router And A Pix
Configuring Ip Sec Between A Router And A Pix
 
ICS PPT Unit 4.ppt
ICS PPT Unit 4.pptICS PPT Unit 4.ppt
ICS PPT Unit 4.ppt
 
Kismet
KismetKismet
Kismet
 
iSCSI: Internet Small Computer System Interface
iSCSI: Internet Small Computer System InterfaceiSCSI: Internet Small Computer System Interface
iSCSI: Internet Small Computer System Interface
 
Isa
IsaIsa
Isa
 
Chapter 9
Chapter 9Chapter 9
Chapter 9
 
Application and Server Security
Application and Server SecurityApplication and Server Security
Application and Server Security
 
Ciscorouterasavpnserver 100218045815-phpapp01
Ciscorouterasavpnserver 100218045815-phpapp01Ciscorouterasavpnserver 100218045815-phpapp01
Ciscorouterasavpnserver 100218045815-phpapp01
 
Information Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric VanderburgInformation Security Lesson 4 - Baselines - Eric Vanderburg
Information Security Lesson 4 - Baselines - Eric Vanderburg
 
AWS Summit Nordics - Getting Started With AWS
AWS Summit Nordics - Getting Started With AWSAWS Summit Nordics - Getting Started With AWS
AWS Summit Nordics - Getting Started With AWS
 
TechWiseTV Workshop: Cisco TrustSec
TechWiseTV Workshop: Cisco TrustSecTechWiseTV Workshop: Cisco TrustSec
TechWiseTV Workshop: Cisco TrustSec
 
hacking and crecjing
hacking and crecjinghacking and crecjing
hacking and crecjing
 
The Pendulum Swings Back: Converged and Hyperconverged Environments
The Pendulum Swings Back: Converged and Hyperconverged EnvironmentsThe Pendulum Swings Back: Converged and Hyperconverged Environments
The Pendulum Swings Back: Converged and Hyperconverged Environments
 
Secure containers for trustworthy cloud services: business opportunities
 Secure containers for trustworthy cloud services: business opportunities Secure containers for trustworthy cloud services: business opportunities
Secure containers for trustworthy cloud services: business opportunities
 
Attacking and Securing WPA Enterprise Networks
Attacking and Securing WPA Enterprise NetworksAttacking and Securing WPA Enterprise Networks
Attacking and Securing WPA Enterprise Networks
 

Recently uploaded

Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Bookingroncy bisnoi
 
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01KreezheaRecto
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Arindam Chakraborty, Ph.D., P.E. (CA, TX)
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756dollysharma2066
 
chapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineeringchapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineeringmulugeta48
 
Design For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the startDesign For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the startQuintin Balsdon
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordAsst.prof M.Gokilavani
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapRishantSharmaFr
 
notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptMsecMca
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...roncy bisnoi
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdfKamal Acharya
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTbhaskargani46
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes ---  Unit 3.pdfAKTU Computer Networks notes ---  Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdfankushspencer015
 

Recently uploaded (20)

NFPA 5000 2024 standard .
NFPA 5000 2024 standard                                  .NFPA 5000 2024 standard                                  .
NFPA 5000 2024 standard .
 
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
 
Call Girls in Netaji Nagar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Netaji Nagar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Netaji Nagar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Netaji Nagar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Palanpur 7001035870 Whatsapp Number, 24/07 Booking
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
 
Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
chapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineeringchapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineering
 
Design For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the startDesign For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the start
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leap
 
notes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.pptnotes on Evolution Of Analytic Scalability.ppt
notes on Evolution Of Analytic Scalability.ppt
 
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
Call Girls Pimpri Chinchwad Call Me 7737669865 Budget Friendly No Advance Boo...
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdf
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPT
 
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak HamilCara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
 
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes ---  Unit 3.pdfAKTU Computer Networks notes ---  Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 

1- iscsi security.pdf

• Implies trusting everyone (employees, vendors, business partners, guests, contractors, consultants, wireless users, and remote VPN users) who is connected to the internal network
• Agree to…
  - Remove all file permissions from all folders in every operating system
  - Allow everyone to read everyone else's email
  - Remove all passwords from databases
  - Allow everyone to view HR information (Soc Sec Numbers, Salaries)
  - Tell the Auditors that "Internal controls are for sissies"
Introduction
• iSCSI Architecture Components
  – iSCSI Initiator: An iSCSI client
  – iSCSI Target: An iSCSI storage device/appliance
  – iSNS (optional): iSCSI Name Services (a table that groups iSCSI Initiators and Targets in Domain Sets for logical segmentation)
• Terms and Definitions
  – iQN: Initiator Node Name (identity value for iSCSI clients, similar to MAC addresses)
  – Domain Sets: Logical segmentation of iSCSI entities (Targets and Initiators) into separate groups
  – LUNs: Logical Unit Numbers (a logical array of storage units; one storage entity can be divided into multiple LUNs)
Introduction
• iSCSI Initiators
  – iSCSI Clients
  – Use a regular NIC (IP) with an iSCSI client driver
• iSCSI Drivers
  – Microsoft
  – Cisco
  – IBM
  – HP
• NO special hardware required
• Works over existing IP networks
Introduction
• iSCSI Targets
  – iSCSI Devices (Appliances)/Servers
  – Offer large volumes of data (block level) over the IP network
• iSCSI Vendors
  – Cisco
  – EMC
  – Network Appliance
  – HP
  – IBM
• Listens on TCP port 3260
Introduction
• Example iSCSI Architecture
  [Diagram: iSCSI connections over the network from the initiators iqn.1991-05.com.Microsoft:123 and iqn.1987-05.com.cisco:456 to LUN 1, LUN 2, LUN 3 and LUN 4; the legend distinguishes LUN storage from Local storage]
Introduction
• iSCSI allows block data to be available over the IP network
  [Diagram: Local Operating System (iSCSI Initiator) connected over the network to an iSCSI Device (iSCSI Target)]
Introduction
• iSNS Servers (iSCSI Simple Name Services)
  – Software that runs on an operating system or an iSCSI Device
  – iSCSI initiators and targets register with the iSNS server
    • Similar to DNS
  – An iSNS server is responsible for:
    • Informing iSCSI clients about which iSCSI targets are available on the network
    • Grouping iSCSI clients into their correct Domain Set
    • Informing iSCSI clients what security aspects (if any) they must use to associate to targets
  – Listens on TCP port 3205
  [Diagram: OS, iSCSI Device and iSNS Server on the network]
Introduction
• iSNS Model
  [Diagram: the iSCSI client (iqn.1991-05.com.microsoft:win2003) and the XYZ (iqn.1987-05.com.XYZ:111773) and 123 (iqn.1992-08.com.123:112699) iSCSI storage devices send iSNS registrations to the iSNS server; the client queries the iSNS information and is told the available iSCSI targets for its Domain Set. Domain Sets shown: Exchange Domain and Default Domain Set; iqn.1991-05.com.microsoft:win2004-hd also appears as a registered node]
Introduction
Top 5 iSCSI Security Issues
1. iQN values are trusted
   a. iQNs are spoof-able, sniff-able, and can be brute-forced
2. iSCSI Authorization is the only required security entity, and it relies on iQN values
3. iSCSI Authentication is disabled by default
4. iSCSI Authentication uses CHAP
5. iSNS servers are not protected
iSCSI is a clear-text protocol
iSCSI Enumeration
• Scanning iSCSI Targets (Devices)
  – TCP ports 3260 and 3205
  – StorScan is a focused port scanner for storage devices
    • iSCSI SANs and IP NAS
    • Yes, Nmap is much better, but StorScan is focused (filtered)
  – storscan.exe <range>
iSCSI Enumeration
• Enumeration
  – iSCSI Targets (iSCSI Devices)
    • Listen on TCP port 3260
  – iSNS
    • Listens on TCP port 3205
  – iSCSI Clients
    • Do not listen on a port, but can be enumerated from the iSNS server
iSCSI Enumeration
• iSNS registration
  – If unique Domain Sets are not created, each iqn will be placed in the Default Domain Set
  – Any member of a domain set will be able to enumerate/access the other nodes in the same domain set
    • This is why it is important to move nodes out of the Default Domain Set
  – Foo can:
    1. Scan for port 3205 and find an iSNS server
    2. Connect to the iSNS server
    3. Enumerate the other iSCSI nodes, which can then be used for iqn spoofing attacks (described later)
iSCSI Enumeration
• iSNS Man-in-the-Middle
  – Identify the iSNS server on port 3205
  – Using layer 2 ARP poisoning attacks, a fake iSNS server can replace the real iSNS server
    • The real iSNS will continue to receive iSNS information from targets and clients, but only after the fake iSNS has had control of the packets
    • This allows the fake iSNS server to:
      – View all registrations (both targets and clients)
      – Modify or change Domain Sets
      – Downgrade Domain Sets that require security (remove authentication or encryption)
iSCSI Enumeration
• iSNS MITM
  [Diagram: the iSCSI Client and iSCSI Target register with what they believe is the Real iSNS Server; the Fake iSNS Server sits in the path and can Capture iQNs, Modify Domain Sets and Modify Security Requirements]
iSCSI Authorization
• iSCSI – Authorization (Required)
  • Required iSCSI Security component
  • Initiator Node Name
    – Only unknown variable is the end string
      » iqn.1991-05.com.microsoft:HOSTNAME
      » iqn.1987-05.com.cisco:xxxxxx
      » iqn.1992-08.com.ibm:<partition identifier>
    – iQNs traverse the network in CLEAR-TEXT
      » Easily sniffable, guessable, or enumerated
  • An attacker can get access to large amounts of data with little effort
iSCSI Authorization
• iSCSI Authorization Attack
  – Sniff iSCSI Communication
    • Port 3260
    • Get Initiator Node Names
  – Spoof the Initiator Node Name
    • Change the Initiator name with the iSCSI driver
  – See Data
    • Gain access to confidential and sensitive data
iSCSI Security
• iSCSI Attack Demo
  [Diagram: an iSCSI Storage Device with LUN 0001 and LUN 0002, a Trusted iSCSI Client and a Malicious iSCSI Client on an IP Switch. The Trusted Client (iqn.1991-05.com.microsoft:win2003-hd) has access to LUN 0001: iqn.1991-05.com.microsoft:win2003-hd = LUN 0001. The Malicious Client (iqn.1991-05.com.microsoft:jum4nj1) performs three steps to get access to trusted data: 1. Sniff, 2. Spoof (it now presents iqn.1991-05.com.microsoft:win2003-hd), 3. See Data]
iSCSI Security
• iSCSI Attack Demo
  [Diagram: an iSCSI Storage Device with LUN 0001 through LUN 0010, a Trusted iSCSI Client and a Malicious iSCSI Client on an IP Switch. The Trusted Client (iqn.1987-05.com.cisco:01.1e2d66bf412c) has access to LUN 0001, 0002, 0003, 0004 and 0005: iqn.1987-05.com.cisco:01.1e2d66bf412c = LUN 0001 thru LUN 0005. The Malicious Client (iqn.1991-05.com.microsoft:win2003) performs three steps to get access to trusted data: 1. Sniff, 2. Spoof (it now presents iqn.1987-05.com.cisco:01.1e2d66bf412c), 3. See Data]
iSNS Domain Hopping
• iSNS Domain (iGroup) Hopping
  – Similar to VLAN hopping and Zone hopping (Fibre Channel)
  – Discovery Domains/iGroups rely on the iQN value of a node for identification
  – If a node simply spoofs the iQN value to match the iQN of its target, the iSNS server will automatically update and overwrite the legitimate node's information with the attacker's spoofed information
• Domain/iGroup Damage:
  – At a minimum, this is a Denial of Service attack
  – At a maximum, this would allow unauthorized hosts to access targets (and their data LUNs) in restricted domains
iSNS Domain Hopping
• iSNS Domain Hopping
  [Diagram: the Trusted Domain entity win2003 (iqn.1991-05.com.microsoft:win2003) and the Default Domain Set entity isec (iqn.1991-05.com.microsoft:isec) each send an iSNS Registration; isec registers as iqn.1991-05.com.microsoft:win2003 and the iSNS server replaces the legitimate win2003 entry with isec. Also shown: iscsi (iqn.1991-05.com.aum:iscsi)]
iSCSI Authentication
• iSCSI Security – Authentication: Optional Security
  • Optional iSCSI Security component
  – Authentication (CHAP)
  – Vulnerable to several attack types:
    » Sniffing of usernames
    » Off-line brute force attack of the secret (password)
    » Message reflection attack
iSCSI Authentication
• iSCSI Attack Demo
  [Diagram: iSCSI Client and iSCSI Storage Device, with an Attacker sniffing the exchange. Auth Request -> CHAP ID and Message Challenge: CHAP_I = 194, CHAP_C = e500370b -> the client computes (ID + secret + challenge) MD5 = Hash (CHAP_R) -> CHAP Hash: CHAP_R = c0d749fd2be1226c891e3c21d45016cd]
  What the attacker sees:
  ID (CHAP_I) = 194
  Challenge (CHAP_C) = e500370b
  Secret = ???????
  Hash (CHAP_R) = c0d749fd2be1226c891e3c21d45016cd
  (194 + secret + e500370b) MD5 = c0d749fd2be1226c891e3c21d45016cd
iSCSI Authentication
• iSCSI Authentication Attack
  – CHAP: (ID + secret + challenge) MD5 = Hash (CHAP_R)
    • Sample: (1 + x + 5)/2 = 5
    • Sample: (1 + 1 + 5)/2 != 5
    • Sample: (1 + 2 + 5)/2 != 5
    • Sample: (1 + 3 + 5)/2 != 5
    • Sample: (1 + 4 + 5)/2 = 5
  – Sniff iSCSI Communication
    • Sniff port 3260
    • Obtain
      – CHAP Username (CHAP_N)
      – CHAP ID (CHAP_I)
      – CHAP Message Challenge (CHAP_C)
      – Resulting Hash (CHAP_R)
  – Brute-force passwords (secret)
    • Off-line dictionary attack with every English word
  – Compromise the secret (password)
    • Once two hashes match, the password is compromised
iSCSI Authentication: Offline Dictionary Attack
• iSCSI CHAP Password Tester (www.isecpartners.com/tools.html)
  [Screenshot]
iSCSI Authentication: Offline Dictionary Attack
Sniffed (Captured) Entities:
- ID (CHAP_I): 194
- Message Challenge (CHAP_C): e500370b
- Secret: ??????
- Hash (CHAP_R): c0d749fd2be1226c891e3c21d45016cd
(ID + Dictionary Word + Message Challenge) MD5 = Hash
ID   Word           Challenge  MD5
194  Hello          e500370b   81d0c90ad83d06bf0f51ce944f9c0341
194  My             e500370b   2db5f956905e85e6fd242a54d9213e9a
194  Name           e500370b   08dd57f2fcb535ae6c3d32716d54c97c
194  Is             e500370b   bc7329be2a9fa99fa596802b6a00424d
194  Kusum          e500370b   13ec91aeb5ea120e971a29ad0e2d0e86
194  And            e500370b   0708568450c40b67fc885e6685579cc4
194  My             e500370b   2db5f956905e85e6fd242a54d9213e9a
194  Voice          e500370b   28b255f4e1ecbe44e8c7827d039b523e
194  Is             e500370b   bc7329be2a9fa99fa596802b6a00424d
194  My             e500370b   2db5f956905e85e6fd242a54d9213e9a
194  Passport       e500370b   4983811b661e3d1dfda16a1c39f2b201
194  Verify         e500370b   629c2a938740d0332042b486db58b8dd
194  Me             e500370b   efb2712166bfafe7fcf6b3c0f0cf60d3
194  iscsisecurity  e500370b   c0d749fd2be1226c891e3c21d45016cd
Actual Secret: iscsisecurity
iSCSI Authentication: Offline Dictionary Attack
• iSCSI CHAP Password Tester:
  [Screenshot]
iSCSI Authentication
• Message Reflection Attacks
  – Reflection of a CHAP message challenge across multiple connections
• Overview
  – An attacker (iSCSI client) requests authentication to an iSCSI target
    • The client receives the CHAP ID and Challenge
  – Since the attacker does not know the secret (password), it cannot compute the correct MD5 hash. However, the attacker can open a completely separate connection to the target (connection number 2) and force the Target to authenticate to it
    • The RFC states that any iSCSI target must respond to authentication requests by default!
  – The Target receives the same ID and Challenge it just sent to the client (but on a different connection) and also knows the correct secret. The target computes the correct MD5 hash and passes it back, as if it were trying to authenticate to the client
  – This essentially gives the attacker (the client) the correct MD5 hash to authenticate to the iSCSI Target on the first connection!
iSCSI Authentication
• Message Reflection
  [Diagram, Connection 1: the iSCSI Client (Attacker) sends an Auth Request; the iSCSI Storage Device replies with CHAP ID and Message Challenge (CHAP_I = 194, CHAP_C = e500370b) and expects CHAP Hash CHAP_R = c0d749fd2be1226c891e3c21d45016cd, i.e. (ID + secret + challenge) MD5 = (194 + secret + e500370b) MD5. Connection 2: the attacker sends the same CHAP_I = 194 and CHAP_C = e500370b to the device, which answers with CHAP Hash CHAP_R = c0d749fd2be1226c891e3c21d45016cd!!! That value is replayed on Connection 1]
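The CHAP computation on these slides and the responder-side defense against the reflected challenge, as an added example (Python, not from the presentation or any vendor's implementation): it computes CHAP_R the RFC 1994 way, refuses secrets under 96 bits, and rejects a challenge bounced back on another connection, the check RFC 3720 section 8.2.1 asks of a responder. The ChapResponder class and the sample secret are constructed for this example.

```python
import hashlib
import secrets

MIN_SECRET_BYTES = 12  # 96 bits: RFC 3720's floor for a CHAP secret used without IPsec


def chap_response(chap_i, secret, chap_c):
    """RFC 1994 CHAP-MD5: MD5(Identifier || secret || Challenge).

    CHAP_I is a single octet and CHAP_C the raw challenge; iSCSI carries CHAP_C
    hex- or base64-encoded on the wire, but the hash covers the decoded bytes.
    """
    if not 0 <= chap_i <= 255:
        raise ValueError("CHAP_I must fit in one octet")
    return hashlib.md5(bytes([chap_i]) + secret + chap_c).digest()


class ChapResponder:
    """Target-side CHAP state for one node (hypothetical class, constructed here).
    It remembers every challenge it has issued on any open connection, so a peer
    handing one of them back as *its* challenge is refused."""

    def __init__(self, secret):
        if len(secret) < MIN_SECRET_BYTES:
            raise ValueError("CHAP secret under 96 bits: use IPsec or a longer secret")
        self.secret = secret
        self.outstanding = {}  # connection id -> (CHAP_I, CHAP_C) awaiting a CHAP_R

    def issue_challenge(self, conn):
        """Begin authenticating the initiator on connection `conn`."""
        chap_i, chap_c = secrets.randbelow(256), secrets.token_bytes(16)
        self.outstanding[conn] = (chap_i, chap_c)
        return chap_i, chap_c

    def verify(self, conn, chap_r):
        """Check the initiator's CHAP_R for connection `conn` (constant-time compare)."""
        chap_i, chap_c = self.outstanding.pop(conn)
        return secrets.compare_digest(chap_response(chap_i, self.secret, chap_c), chap_r)

    def answer_challenge(self, conn, chap_i, chap_c):
        """Mutual CHAP: the initiator challenges us. RFC 3720 8.2.1 forbids reusing a
        challenge the responder sent and tells the responder to close the connection
        if it sees one; checking across *all* connections also covers the
        two-connection reflection drawn on this slide."""
        if any(chap_c == issued_c for _, issued_c in self.outstanding.values()):
            raise PermissionError(f"conn {conn}: reflected CHAP challenge, closing connection")
        return chap_response(chap_i, self.secret, chap_c)


if __name__ == "__main__":
    target = ChapResponder(b"constructed-demo-secret-01")  # constructed sample secret
    i, c = target.issue_challenge(1)                        # connection 1: challenge sent
    try:
        target.answer_challenge(2, i, c)                    # connection 2: same challenge bounced back
    except PermissionError as err:
        print(err)
    print(target.verify(1, chap_response(i, b"constructed-demo-secret-01", c)))  # honest client: True
```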
iSCSI Petty Problems
• Microsoft iSCSI Client
  – The driver logs iSCSI secrets (passwords) that don't conform to the correct size in the clear in the Event Viewer
iSCSI Petty Problems
• Microsoft iSCSI Client
  – The client's CHAP secret is protected with 'darkened circles' but can be revealed with a box revealer
iSCSI Petty Problems
• Microsoft iSCSI Client
  – The client's IPSec key is protected with 'darkened circles' but can be revealed with a box revealer
iSCSI Defenses
• How to defend against these threats?
  – CONFIGURATION, CONFIGURATION, CONFIGURATION
  – Every iSCSI device should be secured just like any other operating system or application
    • Pay no attention to the man behind the curtain!
  – Audit your iSCSI storage devices/networks and assess the risk!
    • STORAGE needs your security loving too!!!
  – iSCSI storage devices, which hold your DATA, are similar to everything else on the network…
    • Vulnerable to attacks
    • Security holes and weaknesses
    • Need to be protected and secured
iSCSI Defenses
Top 10 iSCSI Security Recommendations
• Specific configurations
  1. Enable Mutual Authentication
     • Do not rely solely on CHAP Auth
  2. Create Multiple Discovery Domains
     • Only use the Default Domain Set for random registrations
  3. Enable CRC checksums for integrity checking
  4. Require iSNS IPSec (where possible)
  5. Do not rely only on iQNs as security authorization values
  6. Enable iSCSI IPSec (where possible)
• Vendors!
  7. Incorporate Kerberos
  8. Enable authentication by default
  9. Support iSNS authenticated heartbeats before registrations
  10. Support iSNS security features in the RFC
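Recommendations 1 and 3 expressed as an initiator-side configuration check, added here and not from the presentation: a constructed weak iscsid.conf beside a hardened one, and an audit that flags the settings the attacks above depend on. It assumes open-iscsi's iscsid.conf key names; the iQNs and secrets are made up for the example.

```python
# Constructed samples in open-iscsi's /etc/iscsi/iscsid.conf format (key names are
# open-iscsi's; the values are made up): a weak initiator node and a hardened one.
WEAK_CONF = """\
node.session.auth.authmethod = None
discovery.sendtargets.auth.authmethod = None
node.conn[0].iscsi.HeaderDigest = None
node.conn[0].iscsi.DataDigest = None
"""

HARDENED_CONF = """\
# 1. mutual CHAP: prove ourselves (username/password) and demand proof from
#    the target (username_in/password_in), with a different secret each way
node.session.auth.authmethod = CHAP
node.session.auth.username = iqn.2005-01.com.example:host1
node.session.auth.password = Xk9pQ2vL7mN4rT8w
node.session.auth.username_in = iqn.2005-01.com.example:tgt1
node.session.auth.password_in = Bv3nH8sD5kW2zQ7c
discovery.sendtargets.auth.authmethod = CHAP
# 3. CRC32C on headers and data ("CRC32C,None" would allow a downgrade)
node.conn[0].iscsi.HeaderDigest = CRC32C
node.conn[0].iscsi.DataDigest = CRC32C
"""

MIN_SECRET_BYTES = 12  # 96 bits: RFC 3720's floor for CHAP secrets used without IPsec

def parse_conf(text):
    """Parse 'key = value' lines; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[key] = value
    return conf

def audit(conf):
    """One finding per setting that leaves the node open to the attacks above."""
    findings, auth = [], "node.session.auth."
    if conf.get(auth + "authmethod", "None") != "CHAP":
        findings.append("session: CHAP off, so the spoofable iQN is the only access control")
    else:
        if not (conf.get(auth + "username_in") and conf.get(auth + "password_in")):
            findings.append("session: one-way CHAP only, the target is never authenticated")
        for key in (auth + "password", auth + "password_in"):
            if key in conf and len(conf[key].encode()) < MIN_SECRET_BYTES:
                findings.append(f"{key}: under 96 bits, cheap to dictionary-attack offline")
        if conf.get(auth + "password") == conf.get(auth + "password_in"):
            findings.append("session: same secret both ways, a reflected CHAP_R is valid in either direction")
    if conf.get("discovery.sendtargets.auth.authmethod", "None") != "CHAP":
        findings.append("discovery: SendTargets session runs without CHAP")
    for key in ("node.conn[0].iscsi.HeaderDigest", "node.conn[0].iscsi.DataDigest"):
        if conf.get(key) != "CRC32C":
            findings.append(f"{key}: CRC32C not required, PDUs can be altered in transit")
    return findings
```

Running `audit(parse_conf(WEAK_CONF))` returns four findings and `audit(parse_conf(HARDENED_CONF))` returns none.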
Questions
Himanshu Dwivedi
• hdwivedi@isecpartners.com or hdwivedi@lokmail.com
Security Books Authored by presenter:
• Securing Storage
  • Publish date: Fall 2005